DDoS Growing; CUs Unprepared

The DDoS threat keeps growing. Third-party experts and credit union executives—primarily speaking anonymously on the subject—said most credit unions have done nothing to protect themselves against the threat, which has been increasingly linked with theft of funds at financial institutions.

“They are remarkably naive,” said an expert, who asked to remain anonymous, of credit unions.

Added a senior engineer at a Northeast credit union with more than $500 million in assets, who also requested anonymity, “We haven’t had any outages and we haven’t installed any new defenses.”

Two things have happened in the past year that may change how credit union executives view DDoS.

The first is that the money center banks have improved their ability to fend off DDoS attacks, contracting with third-party mitigation vendors that make their sites difficult to take offline. That means DDoS attackers may shift their focus to easier targets, experts said.

The other fact: two researchers, Gartner analyst Avivah Litan and security blogger Brian Krebs, have reported on cases where DDoS has been used as a distraction to help criminals loot bank accounts while financial institution security staff are mired in fighting off DDoS.

Those thefts may be game changers.

Initially, many credit union executives shrugged off DDoS as an annoyance, not entirely different from boisterous midsummer thunderstorms that might knock out power for an hour or two.

“DDoS had simply been an inconvenience. The scary trend is that DDoS is used in association with other attacks, as IT scrambles to defend against DDoS,” said Tim Clouse, vice president of information technology at Advantis, a $1 billion credit union in Milwaukie, Ore.

Some of the largest credit unions have signed on with so-called DDoS mitigation providers used by large banks.

An information technology vice president at one of the nation’s largest credit unions said, “We still haven’t seen anything like a DDoS. We’ve got a contract with a large mitigation provider.”

The executive, who also requested anonymity, said he feels his institution is well protected, at least against the DDoS attacks that are known to have occurred.

However, that’s the exception. Mitigation contracts can cost $100,000 or more annually, said sources, and for many credit unions that is a budget stretch.

So, credit unions are looking at alternatives. One option is asking vendors to build DDoS mitigation into the services they provide, particularly online banking and Internet access.

A chief information officer at a midsized Western credit union said his institution looks to vendors for DDoS defenses, but those vendors have themselves suffered outages.

“We haven’t had any DDoS attacks. Our service providers for online banking (both consumer and business) have been attacked, but the interruptions were fairly short in both instances,” said the executive, who also requested anonymity.

A vice president at a large Northwestern credit union said his institution relies on its online banking provider to handle DDoS mitigation. The results, so far, have been acceptable.

The executive elaborated: “They have DDoS mitigation processes in place. They have done this for us for two years. It’s been successful. We have occasionally seen performance loss—we have had a few attacks—but overall, our site has remained accessible.”

Hugh Smallwood, chief technology officer at the Hagerstown, Md., CUSO Ongoing Operations, predicted that within 12 to 18 months, the largest carriers and service providers—think companies like AT&T and Time Warner—will routinely build DDoS mitigation into their services.

Relying on vendors to secure critical systems may not be a cure-all, however.

The director of IT at a large Northeast credit union, who requested anonymity because he isn’t authorized to discuss his credit union’s defenses, said he didn’t like his Internet banking provider’s answer when he asked about their DDoS defenses.

“Their response basically pooh-poohed my concerns, and their tone was fairly dismissive,” he said. “Then they were attacked.”

Just about every credit union that has online banking and a web presence now needs DDoS defenses, experts say.

“We will see more DDoS and we will see more from al Qassam,” Smallwood said. “It may be in two months, it may be in 12. But know it will come again and credit unions need to be prepared.”